Vundo and possibly others

got_bugs? · 04-21-2007, 11:34 PM

Here's my nasty time consumer
Regular pop-ups with mcafee, mostly Vundo. Today started the occasional newwin32. Some I was able to quarantine, others I couldn't. Ran many online scans.

Activescan results

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Curt\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\11b6709.rbf
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/PRScheduler

Hijack this log

Deckard's System Scanner v20070411.38
Run by Curt on 2007-04-21 at 22:11:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Curt.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:11:05 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Curt\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Curt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {96019D41-2A36-4222-8048-6401771C5C08} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {C922E3DC-6239-4255-BFC0-A6D355B3873D} - C:\WINDOWS\system32\byxwxyy.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: byxwxyy - C:\WINDOWS\SYSTEM32\byxwxyy.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- Files created between 2007-03-21 and 2007-04-21 -----------------------------

2007-04-21 20:52:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-21 20:52:31 0 d-------- C:\WINDOWS\LastGood
2007-04-21 20:07:18 0 d-------- C:\Documents and Settings\Curt\Application Data\Lavasoft
2007-04-21 20:07:02 0 d-------- C:\Program Files\Lavasoft
2007-04-21 17:20:40 0 d-------- C:\Documents and Settings\Curt\.housecall6.6<HOUSEC~1.6>
2007-04-21 11:38:34 0 d-------- C:\Documents and Settings\Curt\Application Data\TrojanHunter<TROJAN~1>
2007-04-21 09:56:38 0 d-------- C:\Program Files\TrojanHunter 4.6<TROJAN~1.6>
2007-04-21 08:49:45 2476 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-21 08:33:02 0 d-------- C:\Program Files\CCleaner
2007-04-20 21:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-20 18:42:46 298104 --a------ C:\WINDOWS\system32\imon.dll
2007-04-20 18:42:46 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-20 18:42:46 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-04-19 21:40:10 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-19 18

37 0 d-------- C:\Documents and Settings\Curt\Application Data\Yahoo!
2007-04-18 21:19:33 26678 --a------ C:\WINDOWS\system32\byxwxyy.dll
2007-04-09 18:44:15 0 d-------- C:\Program Files\Advanced Speed Typing<ADVANC~1>
2007-04-09 18:44:03 299520 --a------ C:\WINDOWS\uninst.exe
2007-04-09 08:36:03 0 d-------- C:\Program Files\DellSupport<DELLSU~2>

-- Find3M Report ---------------------------------------------------------------

2007-04-21 21:46:11 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MICROS~4>
2007-04-21 20

10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-21 09:40:34 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>
2007-04-20 21:04:26 0 d-------- C:\Documents and Settings\Curt\Application Data\AdobeUM
2007-04-19 23:05:22 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-19 23:05:12 0 d-------- C:\Program Files\Yahoo!
2007-04-19 19:29:48 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>
2007-04-18 18:46:57 0 d-------- C:\Program Files\Java
2007-04-16 07:29:36 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-16 07:29:36 56 -r-hs---- C:\WINDOWS\system32\092C19999C.sys<092C19~1.SYS>
2007-04-09 20:28:06 0 d-------- C:\Documents and Settings\Curt\Application Data\Skype
2007-04-09 17:41:02 0 d-------- C:\Program Files\EPSON
2007-04-09 08:50:27 0 d--h----- C:\Documents and Settings\Curt\Application Data\Gtek
2007-04-07 12:32:09 0 d-------- C:\Documents and Settings\Curt\Application Data\Identities<IDENTI~1>
2007-04-07 12:10:29 0 d-------- C:\Program Files\WordPerfect Office 12<WORDPE~1>
2007-04-07 12:09:51 0 d-------- C:\Program Files\Kyodai Mahjongg<KYODAI~1>
2007-04-07 12:09:39 0 d-------- C:\Program Files\Intel
2007-04-07 12:09:39 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-07 12:09:31 0 d-------- C:\Program Files\DivX
2007-04-07 12:09:29 0 d-------- C:\Program Files\Creative
2007-04-07 12:09:27 0 d-------- C:\Program Files\Common Files\AOL
2007-03-17 06:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23:16 497496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 12:19:58 526184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-10 12:36:55 0 d-------- C:\Program Files\LastChaosUSA<LASTCH~1>
2007-03-08 08:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 15:15:01 0 d-------- C:\Program Files\Diablo II<DIABLO~1>
2007-02-25 15:14:44 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-24 09:55:23 0 d-------- C:\Program Files\Kodak
2007-02-24 09:55:06 0 d-------- C:\Program Files\Common Files\Kodak
2007-02-05 13:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Logitech Utility"="Logi_MwX.Exe"
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"MPFEXE"="\"C:\\Program Files\\McAfee.com\\Personal Firewall\\MPFTray.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe "
"item"="Ulead Photo Express 4.0 SE Calendar Checker "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Curt^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
"location"="Startup"
"item"="PowerReg SchedulerV2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AHQTB"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTLauncher"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NewsUpd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FirebirdServerDefaultInstance"=dword:00000003
"FirebirdGuardianDefaultInstance"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002
"EPSONStatusAgent2"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C922E3DC-6239-4255-BFC0-A6D355B3873D}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoStartMenuMFUprogramsList"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwxyy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-04-21 at 22:11:31 ---------

I see way too many things I don't like here

got_bugs? · 04-22-2007, 09:45 AM

Here's a few pop-ups Mcafee found recently

lo1[1]
ddcyy.dll
awvvs.dll
awtss.dll
brskncys.dll
jkhhf.dll - common recurring
above were recognized as vundo

exploit.bmp trojan
XG9.exe

some other incidents popped up as malformed archive trojan

tetonbob · 04-23-2007, 06:15 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Deckard's System Scanner should also have produced a second log, extra.txt Please post it in your next reply.

---------------------------------------------------------------------------------------------

I see you have more than one Anti-Virus program installed, NOD32 and McAfee. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

-----------------------------------------------------------------------

Download ComboFix from one of these locations:
- http://www.techsupportforum.com/sect...s/ComboFix.exe
- http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

got_bugs? · 04-23-2007, 08:26 PM

Deckards is not producing another extra text, so I'm including the one produced from my original post.

"Curt" - 07-04-23 19:09:07 Service Pack 2
ComboFix 07-04-22.4V - Running from: "C:\Documents and Settings\Curt\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))

2007-04-23 18:51 <DIR> d-------- C:\Deckard
2007-04-21 20:52 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-21 20:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-21 20:07 <DIR> d-------- C:\DOCUME~1\Curt\APPLIC~1\Lavasoft
2007-04-21 17:20 <DIR> d-------- C:\DOCUME~1\Curt\.housecall6.6
2007-04-21 11:38 <DIR> d-------- C:\DOCUME~1\Curt\APPLIC~1\TrojanHunter
2007-04-21 09:56 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-04-21 08:49 2,476 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-21 08:33 <DIR> d-------- C:\Program Files\CCleaner
2007-04-19 21:40 <DIR> d-------- C:\VundoFix Backups
2007-04-19 18:06 <DIR> d-------- C:\DOCUME~1\Curt\APPLIC~1\Yahoo!
2007-04-09 18:44 299,520 --a------ C:\WINDOWS\uninst.exe
2007-04-09 18:44 <DIR> d-------- C:\Program Files\Advanced Speed Typing
2007-04-09 08:36 <DIR> d-------- C:\Program Files\DellSupport

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-21 21:46 -------- d-------- C:\Program Files\microsoft intellitype pro
2007-04-21 20:06 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-21 09:40 -------- d-------- C:\Program Files\enigma software group
2007-04-19 23:05 -------- d-------- C:\Program Files\yahoo!
2007-04-19 23:05 -------- d-------- C:\Program Files\Common Files\scanner
2007-04-19 19:29 -------- d-------- C:\Program Files\pcpitstop
2007-04-16 07:29 56 -r-hs---- C:\WINDOWS\system32\092c19999c.sys
2007-04-16 07:29 1682 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-04-09 20:28 -------- d-------- C:\DOCUME~1\Curt\APPLIC~1\skype
2007-04-09 17:41 -------- d-------- C:\Program Files\epson
2007-04-07 12:10 -------- d-------- C:\Program Files\wordperfect office 12
2007-04-07 12:09 -------- d--h----- C:\Program Files\installshield installation information
2007-04-07 12:09 -------- d-------- C:\Program Files\kyodai mahjongg
2007-04-07 12:09 -------- d-------- C:\Program Files\intel
2007-04-07 12:09 -------- d-------- C:\Program Files\divx
2007-04-07 12:09 -------- d-------- C:\Program Files\creative
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
2007-03-10 12:36 -------- d-------- C:\Program Files\lastchaosusa
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 15:15 -------- d-------- C:\Program Files\diablo ii
2007-02-25 15:14 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-02-25 12:10 5376 --a-s---- C:\WINDOWS\system32\drivers\dsunidrv.sys
2007-02-24 09:55 -------- d-------- C:\Program Files\kodak
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{96019D41-2A36-4222-8048-6401771C5C08} C:\WINDOWS\system32\jkhhf.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Logitech Utility"="Logi_MwX.Exe"
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"MPFEXE"="\"C:\\Program Files\\McAfee.com\\Personal Firewall\\MPFTray.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoStartMenuMFUprogramsList"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe "
"item"="Ulead Photo Express 4.0 SE Calendar Checker "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Curt^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
"location"="Startup"
"item"="PowerReg SchedulerV2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AHQTB"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTLauncher"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NewsUpd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FirebirdServerDefaultInstance"=dword:00000003
"FirebirdGuardianDefaultInstance"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002
"EPSONStatusAgent2"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (CRAZYHORSE-Curt).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-23 19:12:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-23 19:12:29
C:\ComboFix-quarantined-files.txt ... 07-04-23 19:12

Deckard's System Scanner v20070411.38
Run by Curt on 2007-04-23 at 19:23:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Curt.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:23:44 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Curt\Desktop\dss(2).exe
C:\PROGRA~1\HIJACK~1\Curt.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {96019D41-2A36-4222-8048-6401771C5C08} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- Files created between 2007-03-23 and 2007-04-23 -----------------------------

2007-04-23 19:12:30 428032 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-23 19:12:29 49152 --a------ C:\WINDOWS\system32\vfind.exe
2007-04-23 19:12:29 212480 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-23 19:12:29 370688 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-23 19:12:29 38400 --a------ C:\WINDOWS\system32\moveex.exe
2007-04-23 19:12:29 49152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 19:12:29 86528 --a------ C:\WINDOWS\catchme.exe
2007-04-21 20:52:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-21 20:07:18 0 d-------- C:\Documents and Settings\Curt\Application Data\Lavasoft
2007-04-21 20:07:02 0 d-------- C:\Program Files\Lavasoft
2007-04-21 17:20:40 0 d-------- C:\Documents and Settings\Curt\.housecall6.6<HOUSEC~1.6>
2007-04-21 11:38:34 0 d-------- C:\Documents and Settings\Curt\Application Data\TrojanHunter<TROJAN~1>
2007-04-21 09:56:38 0 d-------- C:\Program Files\TrojanHunter 4.6<TROJAN~1.6>
2007-04-21 08:49:45 2476 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-21 08:33:02 0 d-------- C:\Program Files\CCleaner
2007-04-20 21:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-19 21:40:10 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-19 18

37 0 d-------- C:\Documents and Settings\Curt\Application Data\Yahoo!
2007-04-09 18:44:15 0 d-------- C:\Program Files\Advanced Speed Typing<ADVANC~1>
2007-04-09 18:44:03 299520 --a------ C:\WINDOWS\uninst.exe
2007-04-09 08:36:03 0 d-------- C:\Program Files\DellSupport<DELLSU~2>

-- Find3M Report ---------------------------------------------------------------

2007-04-21 21:46:11 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MICROS~4>
2007-04-21 20

10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-21 09:40:34 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>
2007-04-20 21:04:26 0 d-------- C:\Documents and Settings\Curt\Application Data\AdobeUM
2007-04-19 23:05:22 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-19 23:05:12 0 d-------- C:\Program Files\Yahoo!
2007-04-19 19:29:48 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>
2007-04-18 18:46:57 0 d-------- C:\Program Files\Java
2007-04-16 07:29:36 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-16 07:29:36 56 -r-hs---- C:\WINDOWS\system32\092C19999C.sys<092C19~1.SYS>
2007-04-09 20:28:06 0 d-------- C:\Documents and Settings\Curt\Application Data\Skype
2007-04-09 17:41:02 0 d-------- C:\Program Files\EPSON
2007-04-09 08:50:27 0 d--h----- C:\Documents and Settings\Curt\Application Data\Gtek
2007-04-07 12:32:09 0 d-------- C:\Documents and Settings\Curt\Application Data\Identities<IDENTI~1>
2007-04-07 12:10:29 0 d-------- C:\Program Files\WordPerfect Office 12<WORDPE~1>
2007-04-07 12:09:51 0 d-------- C:\Program Files\Kyodai Mahjongg<KYODAI~1>
2007-04-07 12:09:39 0 d-------- C:\Program Files\Intel
2007-04-07 12:09:39 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-07 12:09:31 0 d-------- C:\Program Files\DivX
2007-04-07 12:09:29 0 d-------- C:\Program Files\Creative
2007-04-07 12:09:27 0 d-------- C:\Program Files\Common Files\AOL
2007-03-17 06:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23:16 497496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 12:19:58 526184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-10 12:36:55 0 d-------- C:\Program Files\LastChaosUSA<LASTCH~1>
2007-03-08 08:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 15:15:01 0 d-------- C:\Program Files\Diablo II<DIABLO~1>
2007-02-25 15:14:44 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-24 09:55:23 0 d-------- C:\Program Files\Kodak
2007-02-24 09:55:06 0 d-------- C:\Program Files\Common Files\Kodak
2007-02-05 13:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Logitech Utility"="Logi_MwX.Exe"
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"MPFEXE"="\"C:\\Program Files\\McAfee.com\\Personal Firewall\\MPFTray.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe "
"item"="Ulead Photo Express 4.0 SE Calendar Checker "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Curt^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
"location"="Startup"
"item"="PowerReg SchedulerV2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AHQTB"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTLauncher"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NewsUpd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FirebirdServerDefaultInstance"=dword:00000003
"FirebirdGuardianDefaultInstance"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002
"EPSONStatusAgent2"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoStartMenuMFUprogramsList"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-04-23 at 19:23:59 ---------

got_bugs? · 04-23-2007, 08:31 PM

Also of note, when I ran Combofix, windows installer started, and was trying to install Word Perfect office 12 which is already installed. The installer restarted itself several times after I cancelled installation each time.

tetonbob · 04-23-2007, 09:12 PM

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_03

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should.

Leave Java(TM) SE Runtime Environment 6 Update 1 alone, as it is the most recent for version 6.

Reboot after uninstall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {96019D41-2A36-4222-8048-6401771C5C08} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

Close HijackThis now.

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\Documents and Settings\Curt\Favorites\Antivirus Test Online.url

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

got_bugs? · 04-24-2007, 06:42 AM

Upon reboot, windows installer was trying yet again to install word perfect 12. Is this of any concern? I've been stopping it each time

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 24, 2007 5:38:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/04/2007
Kaspersky Anti-Virus database records: 301400
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 128312
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01

59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\cert8.db Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\history.dat Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\key3.db Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\parent.lock Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Curt\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Curt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Application Data\Mozilla\Firefox\Profiles\q5lc074g.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\History\History.IE5\MSHist012007042420070425\index.dat Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Temp\~DFC3BF.tmp Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Curt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Curt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Curt\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Curt\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe/data.rar/patch.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe/data.rar Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP204\A0026510.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0034712.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP219\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Deckard's System Scanner v20070411.38
Run by Curt on 2007-04-24 at 05:39:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Curt.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:39:56 AM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Curt\Desktop\dss(2).exe
C:\DOCUME~1\Curt\LOCALS~1\Temp\TEMPOR~1.ZIP\Curt.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- Files created between 2007-03-24 and 2007-04-24 -----------------------------

2007-04-23 22:21:19 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-04-23 22:21:16 0 d-------- C:\WINDOWS\LastGood
2007-04-23 19:12:30 428032 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-23 19:12:29 49152 --a------ C:\WINDOWS\system32\vfind.exe
2007-04-23 19:12:29 212480 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-23 19:12:29 370688 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-23 19:12:29 38400 --a------ C:\WINDOWS\system32\moveex.exe
2007-04-23 19:12:29 49152 --a------ C:\WINDOWS\nircmd.exe
2007-04-23 19:12:29 86528 --a------ C:\WINDOWS\catchme.exe
2007-04-21 20:52:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-21 20:07:18 0 d-------- C:\Documents and Settings\Curt\Application Data\Lavasoft
2007-04-21 20:07:02 0 d-------- C:\Program Files\Lavasoft
2007-04-21 17:20:40 0 d-------- C:\Documents and Settings\Curt\.housecall6.6<HOUSEC~1.6>
2007-04-21 11:38:34 0 d-------- C:\Documents and Settings\Curt\Application Data\TrojanHunter<TROJAN~1>
2007-04-21 09:56:38 0 d-------- C:\Program Files\TrojanHunter 4.6<TROJAN~1.6>
2007-04-21 08:49:45 2476 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-21 08:33:02 0 d-------- C:\Program Files\CCleaner
2007-04-20 21:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-04-19 21:40:10 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-19 18

37 0 d-------- C:\Documents and Settings\Curt\Application Data\Yahoo!
2007-04-09 18:44:15 0 d-------- C:\Program Files\Advanced Speed Typing<ADVANC~1>
2007-04-09 18:44:03 299520 --a------ C:\WINDOWS\uninst.exe
2007-04-09 08:36:03 0 d-------- C:\Program Files\DellSupport<DELLSU~2>

-- Find3M Report ---------------------------------------------------------------

2007-04-23 21:49:28 0 d-------- C:\Program Files\Java
2007-04-21 21:46:11 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MICROS~4>
2007-04-21 20

10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-21 09:40:34 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>
2007-04-20 21:04:26 0 d-------- C:\Documents and Settings\Curt\Application Data\AdobeUM
2007-04-19 23:05:22 0 d-------- C:\Program Files\Common Files\Scanner
2007-04-19 23:05:12 0 d-------- C:\Program Files\Yahoo!
2007-04-19 19:29:48 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>
2007-04-16 07:29:36 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-16 07:29:36 56 -r-hs---- C:\WINDOWS\system32\092C19999C.sys<092C19~1.SYS>
2007-04-09 20:28:06 0 d-------- C:\Documents and Settings\Curt\Application Data\Skype
2007-04-09 17:41:02 0 d-------- C:\Program Files\EPSON
2007-04-09 08:50:27 0 d--h----- C:\Documents and Settings\Curt\Application Data\Gtek
2007-04-07 12:32:09 0 d-------- C:\Documents and Settings\Curt\Application Data\Identities<IDENTI~1>
2007-04-07 12:10:29 0 d-------- C:\Program Files\WordPerfect Office 12<WORDPE~1>
2007-04-07 12:09:51 0 d-------- C:\Program Files\Kyodai Mahjongg<KYODAI~1>
2007-04-07 12:09:39 0 d-------- C:\Program Files\Intel
2007-04-07 12:09:39 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-07 12:09:31 0 d-------- C:\Program Files\DivX
2007-04-07 12:09:29 0 d-------- C:\Program Files\Creative
2007-04-07 12:09:27 0 d-------- C:\Program Files\Common Files\AOL
2007-03-17 06:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 12:23:16 497496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 12:19:58 526184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-10 12:36:55 0 d-------- C:\Program Files\LastChaosUSA<LASTCH~1>
2007-03-08 08:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-25 15:15:01 0 d-------- C:\Program Files\Diablo II<DIABLO~1>
2007-02-25 15:14:44 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-02-24 09:55:23 0 d-------- C:\Program Files\Kodak
2007-02-24 09:55:06 0 d-------- C:\Program Files\Common Files\Kodak
2007-02-05 13:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"Logitech Utility"="Logi_MwX.Exe"
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"MPFEXE"="\"C:\\Program Files\\McAfee.com\\Personal Firewall\\MPFTray.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
"backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
"item"="EPSON Status Monitor 3 Environment Check 2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe "
"item"="Ulead Photo Express 4.0 SE Calendar Checker "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Curt^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
"backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
"location"="Startup"
"item"="PowerReg SchedulerV2"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AHQTB"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTLauncher"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InCD"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NewsUpd"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FirebirdServerDefaultInstance"=dword:00000003
"FirebirdGuardianDefaultInstance"=dword:00000002
"Creative Service for CDROM Access"=dword:00000002
"EPSONStatusAgent2"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoStartMenuMFUprogramsList"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-04-24 at 05:40:13 ---------

tetonbob · 04-24-2007, 10:19 AM

Quote:

Also of note, when I ran Combofix, windows installer started, and was trying to install Word Perfect office 12 which is already installed. The installer restarted itself several times after I cancelled installation each time.

What happens if you allow it to continue?

got_bugs? · 04-24-2007, 06:57 PM

It tries to configure Word Perfect 12, I'm assuming something may be missing from that program now as it was previously installed. I haven't let it continue and each time I cancel, it restarts, several times.

tetonbob · 04-24-2007, 08:38 PM

Do you have the install disk?

Let it run to completion. It may well repair what's missing.

got_bugs? · 04-24-2007, 10:28 PM

It came preloaded on the machine, but I'm sure I have the disk as well. If it's beneficial at this point, I will dig it out (of a box - recently moved)

tetonbob · 04-24-2007, 10:35 PM

Let the installer run to completion and see if that fixes things. If it asks for the disk, you know you'll need to dig it out of the box.

got_bugs? · 04-25-2007, 06:51 AM

The installer ran, and configured Word. I rebooted, and also ran combofix again to see if the installer started up still, but that part appears to be fixed.

tetonbob · 04-25-2007, 08:11 AM

Good work. It's more likely it was DSS and not ComboFix which was the cause. The author is aware, and has implemented a solution in the latest version so that if it does happen to others, it's more easily cured.

The items found by Kaspersky are in System Restore points, which we'll take care of shortly...other than that, your logs appear clean.

Well done. We still have a few items to address.

Clear & Reset System Restore's Cache

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:

SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Download IE-SpyAD - Extract the contents to a new folder
  From within the folder, double-click install.bat
  Select Option #2 - Install the new IE-SPYAD list.
  Then return to the main menu.
  Select option #4 - Add the old porn sites domain
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Here are a few very good free Antivirus products which are available:
- AOL Active Virus Shield (powered by Kaspersky Antivirus)
- Avast!
- AVG
- Avira PersonalEdition Classic
Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial
FIREWALL
If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one firewall program because they will conflict with each other.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

got_bugs? · 04-25-2007, 07:55 PM

Thank you for the clear and concise instructions. I presently use Macafee, in your opinion, is AVG a better program? I have heard good things about it.

tetonbob · 04-25-2007, 08:33 PM

Any of the free AntiVirus solutions I listed above work well, AVG included.

If McAfee is about to expire, you may want to give AVG a try. I've used it, and found it to be effective.

You may want to have a look here:

http://www.av-comparatives.org/seiten/home.html

got_bugs? · 04-25-2007, 08:47 PM

Thank you for that link, and all your help, as you didn't respond with additional instructions, do I have a clean bill of health? May I ask before you close this, what happens to money donated to the forum? I would like to contribute something, and would like to know where it goes.

tetonbob · 04-25-2007, 09:53 PM

Quote:

as you didn't respond with additional instructions, do I have a clean bill of health?

See post #14....

Quote:

...other than that, your logs appear clean.

Well done. We still have a few items to address.

Yep, from what I can see, you should be good to go.

As far as donations....

Quote:

The money that gets donated are for site improvements, server upgrades and maintenance and other things related to TSF.

http://www.techsupportforum.com/donate.php

Thanks for asking. Happy computing, and Safe Surfing to you.

04-21-2007, 11:34 PM	#1 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Vundo and possibly others Here's my nasty time consumer Regular pop-ups with mcafee, mostly Vundo. Today started the occasional newwin32. Some I was able to quarantine, others I couldn't. Ran many online scans. Activescan results Incident Status Location Adware:adware/securityerror Not disinfected C:\Documents and Settings\Curt\Favorites\Antivirus Test Online.url Potentially unwanted tool:Application/MyWay Not disinfected C:\Config.Msi\11b6709.rbf Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\Process.exe Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix\SmitfraudFix\restart.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe] Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Curt\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe] Potentially unwanted tool:Application/PRScheduler Hijack this log Deckard's System Scanner v20070411.38 Run by Curt on 2007-04-21 at 22:11:04 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Curt.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 10:11:05 PM, on 4/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe c:\program files\mcafee.com\agent\mcagent.exe C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe C:\WINDOWS\system32\igfxsrvc.exe c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Curt\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Curt.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {96019D41-2A36-4222-8048-6401771C5C08} - C:\WINDOWS\system32\jkhhf.dll (file missing) O2 - BHO: (no name) - {C922E3DC-6239-4255-BFC0-A6D355B3873D} - C:\WINDOWS\system32\byxwxyy.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe" O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: byxwxyy - C:\WINDOWS\SYSTEM32\byxwxyy.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- Files created between 2007-03-21 and 2007-04-21 ----------------------------- 2007-04-21 20:52:34 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1> 2007-04-21 20:52:31 0 d-------- C:\WINDOWS\LastGood 2007-04-21 20:07:18 0 d-------- C:\Documents and Settings\Curt\Application Data\Lavasoft 2007-04-21 20:07:02 0 d-------- C:\Program Files\Lavasoft 2007-04-21 17:20:40 0 d-------- C:\Documents and Settings\Curt\.housecall6.6<HOUSEC~1.6> 2007-04-21 11:38:34 0 d-------- C:\Documents and Settings\Curt\Application Data\TrojanHunter<TROJAN~1> 2007-04-21 09:56:38 0 d-------- C:\Program Files\TrojanHunter 4.6<TROJAN~1.6> 2007-04-21 08:49:45 2476 --a------ C:\WINDOWS\system32\tmp.reg 2007-04-21 08:33:02 0 d-------- C:\Program Files\CCleaner 2007-04-20 21:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe 2007-04-20 18:42:46 298104 --a------ C:\WINDOWS\system32\imon.dll 2007-04-20 18:42:46 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys 2007-04-20 18:42:46 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys 2007-04-19 21:40:10 0 d-------- C:\VundoFix Backups<VUNDOF~1> 2007-04-19 1837 0 d-------- C:\Documents and Settings\Curt\Application Data\Yahoo! 2007-04-18 21:19:33 26678 --a------ C:\WINDOWS\system32\byxwxyy.dll 2007-04-09 18:44:15 0 d-------- C:\Program Files\Advanced Speed Typing<ADVANC~1> 2007-04-09 18:44:03 299520 --a------ C:\WINDOWS\uninst.exe 2007-04-09 08:36:03 0 d-------- C:\Program Files\DellSupport<DELLSU~2> -- Find3M Report --------------------------------------------------------------- 2007-04-21 21:46:11 0 d-------- C:\Program Files\Microsoft IntelliType Pro<MICROS~4> 2007-04-21 2010 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-21 09:40:34 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1> 2007-04-20 21:04:26 0 d-------- C:\Documents and Settings\Curt\Application Data\AdobeUM 2007-04-19 23:05:22 0 d-------- C:\Program Files\Common Files\Scanner 2007-04-19 23:05:12 0 d-------- C:\Program Files\Yahoo! 2007-04-19 19:29:48 0 d-------- C:\Program Files\PCPitstop<PCPITS~1> 2007-04-18 18:46:57 0 d-------- C:\Program Files\Java 2007-04-16 07:29:36 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-04-16 07:29:36 56 -r-hs---- C:\WINDOWS\system32\092C19999C.sys<092C19~1.SYS> 2007-04-09 20:28:06 0 d-------- C:\Documents and Settings\Curt\Application Data\Skype 2007-04-09 17:41:02 0 d-------- C:\Program Files\EPSON 2007-04-09 08:50:27 0 d--h----- C:\Documents and Settings\Curt\Application Data\Gtek 2007-04-07 12:32:09 0 d-------- C:\Documents and Settings\Curt\Application Data\Identities<IDENTI~1> 2007-04-07 12:10:29 0 d-------- C:\Program Files\WordPerfect Office 12<WORDPE~1> 2007-04-07 12:09:51 0 d-------- C:\Program Files\Kyodai Mahjongg<KYODAI~1> 2007-04-07 12:09:39 0 d-------- C:\Program Files\Intel 2007-04-07 12:09:39 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1> 2007-04-07 12:09:31 0 d-------- C:\Program Files\DivX 2007-04-07 12:09:29 0 d-------- C:\Program Files\Creative 2007-04-07 12:09:27 0 d-------- C:\Program Files\Common Files\AOL 2007-03-17 06:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll 2007-03-15 12:23:16 497496 --a------ C:\WINDOWS\system32\XceedZip.dll 2007-03-15 12:19:58 526184 --a------ C:\WINDOWS\system32\XceedCry.dll 2007-03-10 12:36:55 0 d-------- C:\Program Files\LastChaosUSA<LASTCH~1> 2007-03-08 08:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll 2007-03-08 08:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll 2007-03-08 08:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll 2007-03-08 06:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys 2007-02-25 15:15:01 0 d-------- C:\Program Files\Diablo II<DIABLO~1> 2007-02-25 15:14:44 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL> 2007-02-24 09:55:23 0 d-------- C:\Program Files\Kodak 2007-02-24 09:55:06 0 d-------- C:\Program Files\Common Files\Kodak 2007-02-05 13:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe" "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe" "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe" "Logitech Utility"="Logi_MwX.Exe" "itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\"" "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "nwiz"="nwiz.exe /install" "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE" "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe" "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe" "MPFEXE"="\"C:\\Program Files\\McAfee.com\\Personal Firewall\\MPFTray.exe\"" "THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\"" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE " "item"="Adobe Reader Speed Launch" "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk] "backup"="C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup" "location"="Common Startup" "command"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE " "item"="EPSON Status Monitor 3 Environment Check 2" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] "backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe " "item"="Microsoft Works Calendar Reminders" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk] "backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe " "item"="Ulead Photo Express 4.0 SE Calendar Checker " [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Curt^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe] "backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup" "location"="Startup" "item"="PowerReg SchedulerV2" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AHQTB" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CTLauncher" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="InCD" "hkey"="HKLM" "command"="C:\\Program Files\\Ahead\\InCD\\InCD.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ADGJDet" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mcagent" "hkey"="HKLM" "command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="McUpdate" "hkey"="HKLM" "command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WksSb" "hkey"="HKLM" "command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WkDetect" "hkey"="HKLM" "command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mmtask" "hkey"="HKLM" "command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mm_tray" "hkey"="HKLM" "command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Money Express" "hkey"="HKCU" "command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="MpfTray" "hkey"="HKLM" "command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="MsnMsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINDOWS\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NewsUpd" "hkey"="HKLM" "command"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NvCpl" "hkey"="HKLM" "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NvMcTray" "hkey"="HKLM" "command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="oasclnt" "hkey"="HKLM" "command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Optimize Registration Reminder] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Reminder" "hkey"="HKLM" "command"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RealPlay" "hkey"="HKLM" "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="PDVDServ" "hkey"="HKLM" "command"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Skype" "hkey"="HKCU" "command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKCU" "command"="" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updreg" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mcvsshld" "hkey"="HKLM" "command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="mcmnhdlr" "hkey"="HKLM" "command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="CTHELPER" "hkey"="HKLM" "command"="CTHELPER.EXE" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="wkfud" "hkey"="HKLM" "command"="C:\\Program Files\\Microsoft Works\\wkfud.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="YahooMessenger" "hkey"="HKCU" "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "FirebirdServerDefaultInstance"=dword:00000003 "FirebirdGuardianDefaultInstance"=dword:00000002 "Creative Service for CDROM Access"=dword:00000002 "EPSONStatusAgent2"=dword:00000002 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{C922E3DC-6239-4255-BFC0-A6D355B3873D}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoCDBurning"=dword:00000000 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] @="" "NoStartMenuMFUprogramsList"=dword:00000000 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwxyy [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-04-21 at 22:11:31 --------- I see way too many things I don't like here

04-22-2007, 09:45 AM	#2 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others Here's a few pop-ups Mcafee found recently lo1[1] ddcyy.dll awvvs.dll awtss.dll brskncys.dll jkhhf.dll - common recurring above were recognized as vundo exploit.bmp trojan XG9.exe some other incidents popped up as malformed archive trojan

04-23-2007, 06:15 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Deckard's System Scanner should also have produced a second log, extra.txt Please post it in your next reply. --------------------------------------------------------------------------------------------- I see you have more than one Anti-Virus program installed, NOD32 and McAfee. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the other. Any antivirus program must be removed via add/remove program. For any program that doesn't have an add/remove entry, you will have to do this: re-install the program -> reboot -> uninstall ----------------------------------------------------------------------- Download ComboFix from one of these locations: http://www.techsupportforum.com/sect...s/ComboFix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe Double click on ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-23-2007, 08:31 PM	#5 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others Also of note, when I ran Combofix, windows installer started, and was trying to install Word Perfect office 12 which is already installed. The installer restarted itself several times after I cancelled installation each time.

04-23-2007, 09:12 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 5 J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 8 J2SE Runtime Environment 5.0 Update 9 Java 2 Runtime Environment, SE v1.4.2_03 These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should. Leave Java(TM) SE Runtime Environment 6 Update 1 alone, as it is the most recent for version 6. Reboot after uninstall. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway O2 - BHO: (no name) - {96019D41-2A36-4222-8048-6401771C5C08} - C:\WINDOWS\system32\jkhhf.dll (file missing) O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start Close HijackThis now. --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\Documents and Settings\Curt\Favorites\Antivirus Test Online.url --------------------------------------------------------------------------------------------- Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-24-2007, 06:57 PM	#9 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others It tries to configure Word Perfect 12, I'm assuming something may be missing from that program now as it was previously installed. I haven't let it continue and each time I cancel, it restarts, several times.

04-24-2007, 08:38 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Do you have the install disk? Let it run to completion. It may well repair what's missing. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-24-2007, 10:28 PM	#11 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others It came preloaded on the machine, but I'm sure I have the disk as well. If it's beneficial at this point, I will dig it out (of a box - recently moved)

04-24-2007, 10:35 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Let the installer run to completion and see if that fixes things. If it asks for the disk, you know you'll need to dig it out of the box. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-25-2007, 06:51 AM	#13 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others The installer ran, and configured Word. I rebooted, and also ran combofix again to see if the installer started up still, but that part appears to be fixed.

04-25-2007, 08:11 AM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Good work. It's more likely it was DSS and not ComboFix which was the cause. The author is aware, and has implemented a solution in the latest version so that if it does happen to others, it's more easily cured. The items found by Kaspersky are in System Restore points, which we'll take care of shortly...other than that, your logs appear clean. Well done. We still have a few items to address. Clear & Reset System Restore's Cache click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here are a few very good free Antivirus products which are available: AOL Active Virus Shield (powered by Kaspersky Antivirus) Avast! AVG Avira PersonalEdition Classic Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial FIREWALL If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice: Do not install more than one firewall program because they will conflict with each other. Comodo Personal Firewall ZoneAlarm In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-25-2007, 07:55 PM	#15 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others Thank you for the clear and concise instructions. I presently use Macafee, in your opinion, is AVG a better program? I have heard good things about it.

04-25-2007, 08:33 PM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,156 OS: 2000 Pro; XP Pro; XP Home	Re: Vundo and possibly others Any of the free AntiVirus solutions I listed above work well, AVG included. If McAfee is about to expire, you may want to give AVG a try. I've used it, and found it to be effective. You may want to have a look here: http://www.av-comparatives.org/seiten/home.html __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-25-2007, 08:47 PM	#17 (permalink)
got_bugs? Registered User Join Date: Apr 2007 Posts: 10 OS: XP	Re: Vundo and possibly others Thank you for that link, and all your help, as you didn't respond with additional instructions, do I have a clean bill of health? May I ask before you close this, what happens to money donated to the forum? I would like to contribute something, and would like to know where it goes.